MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

17.8.09

The development of web applications-oriented botnets control and management through the http protocol, is at an advanced level by the underground community of Eastern Europe, particularly from Russia, where cyber criminals constantly flood the market crimeware clandestine marketing packages as Eleonore, ZeuS, ElFiesta, Adrenaline, and many others.

However, this business model that is already implanted, it expands into other territories where cyber-crooks ambition is mirrored by the trend difficult to stop, but with other philosophies: Crimeware Open Source. That is, development of open source software designed to be used for criminal purposes via the Internet.

In this case, it's a family of crimeware designed for control and administration of zombie networks.

This is a series of projects that seek, as the author (whose nickname is "cross"), make clear that the development of botnets in Perl is possible. Under the slogan "x1Machine Remote Administration System" available to the cyber crime organized two projects aimed at manipulation of botnets called Hybrid and TRiAD.

Hybrid Project
The "Hybrid" is the most ambitious. It's written in Perl, runs only on GNU/Linux platforms and allows, as is common in most of the style current crimeware, botnets manage http. While the author states that it was designed for malicious purposes, the legend that is at the interface of version 1 (the image shown below) said Botnet Control System, which is contradictory.

Configuration is done through a small panel which is accessed through the file HyGen.pl.

Version 2 (screenshot) maintains the same features as its predecessor. For the moment, is in a state of "Proof of Concept (PoC). However, it can be manipulated by any cyber-crooks to make it fully functional and add more components to abuse of the undead.

An interesting detail is that its interface is based on BlackEnergy, one of the first botnet-based administration via http designed to perform DDoS (Distributed Denial of Service).

This first version was born in early 2009 and now has three versions that incorporate some more features. It's written in C and through it can carry out three activities harmful: doing attacks Distributed Denial of Service (DDoS), Bindshell (execution of a shell and opening ports) and ReverseShell (notice a zombie connection).

TRIAD HTTP Control System v2 is the second version of the project that evolved into a multiplatform crimeware can be implemented on Windows and GNU/Linux.

This version, in addition to the features present in version 1, it has new features: elimination of the bot, shut down and restart the computer remotely. The following screenshot is for the download page.

Like the second version, TRIAD HTTP Control System v3 is written in C, compiled with GCC and runs under Windows and GNU/Linux. Its features are:

Clearly, this situation is aggravating a number of aspects that make this type of "initiatives" sources ideal for aspiring script kiddies to cyber-criminals for their free status, as for professional developers can tailor their code to add functionality that is adapted to the needs of each buyer (usually botmasters) depending on the platform that you want to explode.